rusackas opened a new pull request, #41211: URL: https://github.com/apache/superset/pull/41211
### SUMMARY Continues the fix for the failing **Embedded SDK Release** job (after #41207 OIDC migration, #41206 stderr visibility, #41210 token clearing). **Progress so far:** #41210 cleared the placeholder token, which moved the error from `E404` (npm tried a bogus token) to `ENEEDAUTH` (npm has no auth) — and critically, npm *still* performed **no OIDC exchange at all** (zero OIDC/`id-token` activity in the run logs), despite npm 11.13 and `id-token: write` on the job. Two causes remained, indistinguishable from the current logs: 1. `actions/setup-node` with `registry-url` writes an `.npmrc` `_authToken=` line that suppresses OIDC even when the token is empty, **or** 2. GitHub isn't actually granting the OIDC id-token to this job. This PR settles it in one run: - **Omit `registry-url`** from setup-node, so no `.npmrc` auth line is written at all. npm then authenticates via OIDC against the default registry (`registry.npmjs.org`). This is the leading fix. - **Add a non-leaking diagnostic step** that prints whether `ACTIONS_ID_TOKEN_REQUEST_URL` is present, i.e. whether GitHub OIDC was granted to the job. ### EXPECTED OUTCOMES (read the "Check OIDC availability" step in the run) - **"OIDC available: yes" + job green** → fixed; `0.4.0` publishes with provenance. - **"OIDC available: yes" + still ENEEDAUTH** → points to the npmjs.com Trusted Publisher config (exact repo + workflow-filename match), not the workflow. - **"OIDC available: no"** → GitHub isn't issuing the id-token (e.g. org-level restriction); we'd pursue org settings or fall back to a token. ### TESTING INSTRUCTIONS After merge, the next push to `master` runs *Embedded SDK Release*; inspect the "Check OIDC availability" step and the publish result per the matrix above. The diagnostic step can be removed in a follow-up once publishing is confirmed green. ### ADDITIONAL INFORMATION - [ ] Has associated issue: - [ ] Required feature flags: - [ ] Changes UI - [ ] Includes DB Migration (follow approval process in [SIP-59](https://github.com/apache/superset/issues/13351)) - [ ] Introduces new feature or API - [ ] Removes existing feature or API 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
